The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems
San-Tsai Sun & Konstantin Beznosov
Presented by: Nazish Khan, COMPSCI 726 Seminar

Presentation transcript:

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS
San-Tsai Sun & Konstantin Beznosov
Presented by: Nazish Khan, COMPSCI 726 Seminar

MOTIVATION
- Contribution: uncover several critical vulnerabilities in OAuth SSO systems and relate them to a set of design decisions
- Problem: previous research suggests that the protocol is secure, BUT some implementation details could be inadvertently left out
- Sometimes developers may trade security for implementation simplicity and create vulnerabilities
- An attacker can gain unauthorized access to the victim user's personal data on RP or IdP websites

WHAT IS SINGLE SIGN-ON?
- Session/user authentication process
- SSO credentials: token and authorization code
- Identity providers (IdPs)
- Relying parties (RPs)
- Identity providers provide a token, which represents a user, to the relying party for accessing resources as the logged-in user

OAUTH 2.0: SERVER-FLOW
- Intended for web applications that receive access tokens from their server-side program logic

OAUTH 2.0: CLIENT-FLOW
- Intended for JavaScript applications running in a web browser, as they cannot embed a secret key

METHODOLOGY
- Authors treated RPs and IdPs as black boxes and analysed HTTP messages
- Exploratory study vs. confirmatory study
- Examined implementations of 3 major IdPs: Google, Facebook, Microsoft
- Adversary model: web attacker or passive network attacker
- 96 Facebook RPs listed on the Google Top 1,000 websites

DESIGN DECISIONS
- OAuth 2.0 offers support for public clients that cannot keep their client secret secure
- Drops digital signatures in favour of SSL for RP-to-IdP communication
- IdPs offer an automatic authorization granting feature and an SDK library

RESULTS - OVERALL
- Results uncover several critical vulnerabilities
- Confidentiality of the temporary secret key can be compromised

ACCESS TOKEN EAVESDROPPING
- Access tokens can be eavesdropped by sniffing unencrypted communication between the browser and the RP server
- Contrary to the OAuth specification, 32% of RPs' access tokens can be eavesdropped
- RPs store the access token in an HTTP cookie on the RP domain by default, with no Secure or HttpOnly attributes
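As an added check for the finding above (not code from the paper or the slides), this script audits Set-Cookie headers for credential-bearing cookies that lack the Secure or HttpOnly attribute; the cookie-name hints and the sample headers are constructed, not captured from any RP.

```python
"""Audit Set-Cookie headers for SSO credentials stored without Secure/HttpOnly.

Added example, not code from the paper or the slides. Cookie-name hints and
sample headers are constructed; a real audit would feed in the Set-Cookie
headers captured from an RP's responses.
"""

# Name fragments that commonly mark OAuth SSO credentials (access token,
# authorization code, Facebook signed request). Constructed assumption.
TOKEN_NAME_HINTS = ("access_token", "oauth", "fbsr_", "sso", "code")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lowercase attribute set)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return (name, missing_attributes) for each token cookie lacking a flag.

    Both flags bear on the eavesdropping result: without Secure the browser
    sends the token over plain HTTP; without HttpOnly injected script reads it.
    """
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if not any(hint in name.lower() for hint in TOKEN_NAME_HINTS):
            continue  # not an SSO credential cookie
        missing = tuple(a for a in ("secure", "httponly") if a not in attrs)
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample headers, not captured from any real RP.
SAMPLE_HEADERS = [
    "fbsr_123456=AQB...; Path=/; Domain=.rp.example",          # no flags at all
    "access_token=ya29...; Path=/; Secure",                     # missing HttpOnly
    "sso_code=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",  # correctly flagged
    "theme=dark; Path=/",                                       # not a credential
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: missing {', '.join(missing)}")
```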

ACCESS TOKEN THEFT VIA XSS
- Enabled by the automatic authorization granting feature
- Theft is possible by injecting a malicious script into any page of the RP website
- Two exploits were designed to evaluate this vulnerability
- Exploit 1 uses the current page as the redirect URI; 88% of RPs are vulnerable to this exploit
- Exploit 2 dynamically loads the SDK; successful on all RPs except those that use a different HTTP domain for receiving authorization responses

IMPERSONATION
- This vulnerability works by sending a stolen or guessed SSO credential to the RP's sign-in endpoint through an attacker-controlled user agent
- 9% of RPs use the user's IdP profile as an SSO credential
- Successfully carried out if:
  - the attacker can obtain or guess a copy of the victim's SSO credentials
  - SSO credentials are not limited to one-time use
  - the RP in question does not do proper checking

SESSION SWAPPING
- Exploits the lack of contextual binding
- A successful exploit allows an attacker to stealthily log the victim user into the RP as the attacker, to spoof the victim's personal data or mount an XSS attack
- The attacker intercepts the SSO credential from the IdP and embeds it in an HTML construct

FORCE-LOGIN CSRF
- Allows an attacker to stealthily force a victim user to sign into the RP
- The attack URL is usually embedded in an HTML construct, causing the malicious request to be issued automatically
- After a successful attack, an adversary can use CSRF attacks to alter the user's profile information on 21% of evaluated RPs
- It can also actively carry out subsequent attacks without waiting for the user, due to the automatic authorization granting feature
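The impersonation, session swapping and force-login CSRF slides share one root cause: the RP accepts an SSO credential that is not bound to the browser session that started the login. This added example (not code from the paper, the slides or any IdP SDK) sketches an RP sign-in endpoint that binds the state parameter to the session, redeems only single-use authorization codes at a stubbed IdP, and never accepts a user-supplied profile as a credential; idp.example, the session dict and the code table are constructed.

```python
"""RP sign-in endpoint with contextual binding of the authorization response.

Added example, not code from the paper, the slides or any IdP SDK. The IdP
exchange is a stub, `session` is a dict standing in for the user's server
session, and the code table below is constructed sample data.
"""
import hmac
import secrets

_ISSUED_CODES = {"code-for-alice": "alice@idp.example"}  # constructed IdP state
_REDEEMED_CODES = set()


def begin_login(session):
    """Mint an unguessable state value and bind it to this browser session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    return "https://idp.example/authorize?state=" + session["oauth_state"]


def exchange_code(code):
    """Stub for the server-flow code exchange at the IdP; codes are single-use."""
    # Single use is one of the slide's IdP recommendations: a replayed or
    # guessed code yields no identity.
    if code in _REDEEMED_CODES or code not in _ISSUED_CODES:
        return None
    _REDEEMED_CODES.add(code)
    return _ISSUED_CODES[code]


def handle_callback(session, params):
    """Accept the IdP response only if it belongs to this session.

    A missing or mismatched state means the credential arrived in a request
    whose session never started this login, which is exactly the shape of
    session swapping and force-login CSRF; both are rejected here.
    """
    expected = session.pop("oauth_state", None)
    received = params.get("state")
    if not expected or not received or not hmac.compare_digest(expected, received):
        return None, "state mismatch: response not bound to this session"
    # Only a code redeemed at the IdP establishes identity; a user-supplied
    # profile or uid is never accepted as a credential (impersonation slide).
    if "code" not in params:
        return None, "no authorization code"
    identity = exchange_code(params["code"])
    if identity is None:
        return None, "code rejected: unknown or already used"
    session["user"] = identity
    return identity, "ok"
```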

RECOMMENDATIONS
For IdPs
- Explicit authorization flow registration
- Whitelist redirect URLs
- Support token refresh mechanism
- Enforce single-use of authorization code
- Avoid saving access token to cookie
- Explicit user consent
- Explicit user authentication
For RPs
- SSO domain separation
- Confidentiality of SSO credentials
- Authenticity of SSO credentials

CRITICISM
- Restriction to systems using English
- Study concentrates on specific attacks
- What about the OAuth protocol on mobile devices?
- Only examined high-profile IdPs and RPs found in the 1,000 most-visited websites
- Realistic vulnerabilities?
- Who takes the responsibility? IdPs, RPs or both?

REALISTIC VULNERABILITIES?
- The study does not explore the root causes of these vulnerabilities in depth
- The extent to which these vulnerabilities exist in the wild has not been shown
- As a result, the authors advise mitigations that may be ineffective in practice

TRUSTING RPS?
- Authors recommend a range of mitigation techniques for RPs to implement secure systems
- Can we trust RPs to correctly manage their implementations? No
- Instead, IdPs should force proper implementations through:
  - Providing correct and complete developer tools
  - Forcing correct RP implementations
  - Mandating the use of the state parameter
  - Providing proper documentation

SUMMARY
- OAuth 2.0 favours simplicity over security
- Authors believe that OAuth 2.0 in the hands of most developers is likely to produce insecure implementations
- The critical vulnerabilities discussed are caused by a set of design decisions

Questions?